Life notes and ideas from a security pro who lives in the mountains and does a lot of cycling, skiing, dirt biking, writing, coding, and thinking. Twitter @k3strel

Monday, March 10, 2014

Threat Agent Profile: Government Cyber Warfare

Cyber warfare encompasses nation-state activities taken
against enemy computer systems and networks with the intent of controlling,
compromising, or disabling function through electronic methods. The potential
impact of cyber warfare is perhaps best described by an unnamed Chinese general
who stated in 1996, “We can make the enemy's command centers not work by
changing their data system. We can cause the enemy's headquarters to make
incorrect judgment(s) by sending disinformation. We can dominate the enemy's
banking system and even its entire social order.”[1]

In 2007, according to a Gartner report, thirty nations
were developing cyber warfare capabilities, and Gartner predicted that 30% of all
nations would have cyber warfare capabilities by 2012.[2] The United States is leading the world in
investment in cyber warfare infrastructure. In 2006 the U.S. announced the creation of the Air Force Cyberspace
Command. During the announcement of the
division, Secretary of the Air Force Michael Wynne said, “The aim is to develop
a major command that stands alongside Air Force Space Command and Air Combat
Command as the provider of forces that the President, combatant commander and
the American people can rely on for preserving the freedom of access and
commerce, in air, space, and now cyberspace.”[3]

Cyber Warheads – Stuxnet

Until early 2010, what a cyber weapon would actually look
like, when it would first be used, and whom and what it would be
launched against remained in the realm of conjecture. On June 17, 2010, the
Belarus-based security firm VirusBlokAda Ltd discovered, on an Iranian client’s
system, a new piece of malware that made cyber warfare manifest.
Stuxnet isn’t just a one-off piece of malware. It is a framework for the development
of future cyber warheads.

In short, the function of
Stuxnet is to damage the Iranian Natanz nuclear fuel enrichment plant and,
possibly, the Iranian Bushehr nuclear power plant. Nuclear fuel enrichment
plants use centrifuges to produce low enriched uranium. Stuxnet reprograms the
Siemens industrial control system used at the Natanz enrichment facility to
cause the IR-1 centrifuges to spin at rates and in patterns harmful to the
centrifuges. Stuxnet also shuts down the related warning and safety controls that
would alert plant operators to the odd centrifuge behavior.

While Stuxnet infections did
not remain isolated to Iran, data collected by Symantec through its monitoring
infrastructure revealed that Iran hosted 58% of the total infected systems. Indonesia
and India followed distantly with 18% and 10% of the total infected hosts.[4]
And, it seems to have achieved at least some of its intended effect. In late
2009 to early 2010 Iran replaced about 1,000 IR-1 centrifuges at its Natanz
facility. On November 23, 2010, the
head of Iran’s Atomic Energy Organization, Ali Akbar Salehi, confirmed
reports of cyber attacks against Iran’s nuclear facilities: “One year and
several months ago, Westerners sent a virus to [our] country’s nuclear sites.”
On November 29, 2010, Iranian President Mahmoud Ahmadinejad confirmed the
reports in a news conference: “They succeeded in creating problems for a
limited number of our centrifuges with the software they had installed in
electronic parts.”[5]

Natanz hijacking requirements, and the Stuxnet solution to each

Requirement: The location of the Natanz industrial control systems was not known, so the software had to crawl systems autonomously and detect on its own whether it was running on one of the control systems.
Requirement: The industrial control systems (ICS) are not connected to any network that is connected to the Internet, so the malware had to jump the network air gap.
Stuxnet solution: Stuxnet exploits four zero-day vulnerabilities to spread through network communications and through USB drives (the USB vector is what carries it across the air gap) and to escalate local privileges. Additionally, it copies itself to remote computers through network shares. Once on a system, Stuxnet examines its host to determine whether it is in fact a system used to control the IR-1 centrifuges known to be in use at Natanz.

Requirement: The malware had to operate undetected for a long period of time so that it was not discovered before achieving its objectives.
Stuxnet solution: Stuxnet employs advanced rootkit techniques, and its malicious binary driver files are signed with stolen, valid digital certificates to avoid detection. It also contains features to bypass security products.

Requirement: The malware had to be able to update itself without calling back to a command and control server.
Stuxnet solution: Stuxnet-infected systems update each other using a peer-to-peer mechanism. Infected systems search for each other on their LAN. When one Stuxnet install detects another, they exchange version information. If the versions are not the same, the older instance is updated from the newer one.

Requirement: The IR-1 centrifuge attack code had to work against the exact configuration of the programmable logic controllers used at Natanz.
Stuxnet solution: Stuxnet contains the first-ever programmable logic controller rootkit, which hijacks the control system, disables alarms, and modifies alerting messages so that the attack remains undetected by plant operators.
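The peer-to-peer update rule above (exchange version numbers, older copy takes the newer one) is enough to push a new build to every reachable host with no command and control server at all. The model below is an added example written for this post, not Stuxnet's code and not from the original article; the host names, LAN links and version numbers are constructed, and the "exchange" is reduced to a version compare over a static peer list. It also shows the limit of the mechanism: a host with no LAN path to an infected peer never updates, which is why the USB vector still matters.

```python
"""Toy model of Stuxnet-style peer-to-peer version propagation on a LAN.

Added example, not code from the original post and not Stuxnet's own code.
Assumptions: every infected host holds (version, payload); in each round a
host exchanges versions with every peer it can reach on the LAN and the
older side takes the newer copy. Hosts, links and versions are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    version: int
    payload: str
    peers: set = field(default_factory=set)   # names reachable on the same LAN


def exchange(a: Host, b: Host) -> bool:
    """One peer exchange: compare versions; the older side is replaced by
    the newer one. Returns True if either side changed."""
    if a.version == b.version:
        return False
    newer, older = (a, b) if a.version > b.version else (b, a)
    older.version, older.payload = newer.version, newer.payload
    return True


def propagate(hosts: dict, max_rounds: int = 20) -> int:
    """Run exchange rounds until nothing changes. Returns the number of
    rounds in which at least one host was updated."""
    for rnd in range(1, max_rounds + 1):
        changed = False
        for h in hosts.values():
            for peer_name in sorted(h.peers):
                changed |= exchange(h, hosts[peer_name])
        if not changed:
            return rnd - 1
    raise RuntimeError("did not converge within max_rounds")


def build_lan() -> dict:
    """Constructed network: a corporate segment chained to a dual-homed
    engineering workstation that also reaches the control host, plus one
    isolated kiosk with no LAN peers. Only corp-1 has the newer build."""
    lan = {
        "ctrl-1": Host("ctrl-1", 1, "payload-v1"),
        "eng-ws": Host("eng-ws", 1, "payload-v1"),   # reaches both segments
        "corp-3": Host("corp-3", 1, "payload-v1"),
        "corp-2": Host("corp-2", 1, "payload-v1"),
        "corp-1": Host("corp-1", 2, "payload-v2"),   # just received version 2
        "iso-1":  Host("iso-1", 1, "payload-v1"),    # no LAN path: the air gap
    }
    links = [("corp-1", "corp-2"), ("corp-2", "corp-3"),
             ("corp-3", "eng-ws"), ("eng-ws", "ctrl-1")]
    for a, b in links:
        lan[a].peers.add(b)
        lan[b].peers.add(a)
    return lan


def versions(lan: dict) -> dict:
    return {name: h.version for name, h in lan.items()}


if __name__ == "__main__":
    lan = build_lan()
    rounds = propagate(lan)
    print(f"converged after {rounds} update rounds: {versions(lan)}")
```

With the constructed links, version 2 reaches the control host in two rounds purely through LAN neighbours, while iso-1 stays on version 1 until something physically carries the newer copy to it.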

Compromising the industrial
control systems of the Natanz fuel enrichment processing facilities was no
trivial task. Once released, the malware had to autonomously achieve some
seriously daunting tasks. Ralph Langner, the pre-eminent
Stuxnet expert, summed up Stuxnet best. “Stuxnet is like the arrival of an F-35
fighter jet on a World War I battlefield. The technology is that much superior
to anything ever seen before, and to what was assumed possible.”[6]

With Stuxnet out of the bag,
governments around the world are scrambling to respond, assessing the exposure
of their own critical infrastructure to Stuxnet-like malware and, no doubt,
developing their own cyber warheads for use against all sorts of industrial
control systems.

Targets

One of the prime targets of cyber weaponry is critical
infrastructure controlled through electronic Supervisory Control and Data
Acquisition (SCADA) systems. SCADA systems allow remote monitoring and
control of a broad deployment of physical-world infrastructure. In the hands of
asset owners and operators, SCADA systems greatly increase operational
efficiency and capability. In the wrong hands, SCADA systems could be used to disrupt or
corrupt delivery of essential services. Consider how SCADA systems are used
across a few industries:

Water
– Water works organizations use SCADA systems to monitor water quality, flow,
pressure, and operational status. They also use SCADA systems to control water
production, distribution, and blending. Back in 2008, a California municipality published details of its SCADA water systems on its web site, going as far as showing a
screenshot of its SCADA Human-Machine Interface (HMI). Probably not a great idea.

Power
Generation – Power generators use SCADA systems to monitor boiler
temperatures, turbine performance, and environmental conditions and to control
power generation equipment in real-time.

Power
Distribution – Power distributors use SCADA systems to manage power supply
into their distribution network, manage flow, and monitor supply and demand.

As most SCADA systems are not directly Internet-accessible,
the likely compromise path is to compromise a system that has
access to the network on which the SCADA system resides and use that as a
staging point for the attack against the SCADA system. With advanced malware
kits that give attackers persistent, stealthy remote control, this possibility
is very real.
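Because the realistic path runs through a staging host on an adjacent network, the thing worth watching is who talks into the control segment at all. The script below is an added example, not code from the original post or from any vendor: it reads constructed "src,dst,dport" flow records, flags any ICS-protocol connection (S7comm on 102/tcp, Modbus/TCP on 502/tcp, DNP3 on 20000/tcp) into the control network from a source outside a small engineering-workstation allowlist, and separately lists every outside host that reached the control segment on any port, since an RDP session into an engineering workstation is exactly the foothold described above. The network ranges, allowlist and sample flows are assumptions for the demo.

```python
"""Flag traffic into a SCADA/control segment that does not come from the
hosts expected to talk to it.

Added example, not code from the original post. Assumes flow records of the
form "src,dst,dport" (constructed sample below), a control segment of
10.20.0.0/24, and that only the two engineering workstations listed are
allowed to speak ICS protocols to it. All addresses are made up.
"""
import ipaddress

CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")     # assumed control segment
ALLOWED_SOURCES = {"10.20.0.5", "10.20.0.6"}           # assumed engineering workstations
ICS_PORTS = {102: "s7comm", 502: "modbus", 20000: "dnp3"}

# Constructed sample flow records: src,dst,dport
SAMPLE_FLOWS = """\
# src,dst,dport
10.20.0.5,10.20.0.50,102
10.20.0.6,10.20.0.51,502
10.1.4.23,10.20.0.50,102
10.1.4.23,10.1.4.1,445
10.1.4.23,10.20.0.51,502
10.1.9.8,10.20.0.5,3389
10.20.0.5,10.20.0.52,20000
"""


def parse_flows(text: str) -> list:
    """Parse 'src,dst,dport' lines, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        flows.append((src, dst, int(dport)))
    return flows


def find_suspicious(flows: list):
    """Return (alerts, outside_sources).

    alerts: ICS-protocol connections into the control net from a source
            that is not on the engineering-workstation allowlist.
    outside_sources: every host outside the control net that reached it on
            any port; each is a candidate staging point for a SCADA attack.
    """
    alerts = []
    outside_sources = set()
    for src, dst, dport in flows:
        if ipaddress.ip_address(dst) not in CONTROL_NET:
            continue                                   # not aimed at the control segment
        if ipaddress.ip_address(src) not in CONTROL_NET:
            outside_sources.add(src)                   # foothold on an adjacent network
        if dport in ICS_PORTS and src not in ALLOWED_SOURCES:
            alerts.append((src, dst, ICS_PORTS[dport]))
    return alerts, sorted(outside_sources)


if __name__ == "__main__":
    alerts, pivots = find_suspicious(parse_flows(SAMPLE_FLOWS))
    for src, dst, proto in alerts:
        print(f"ALERT  {src} -> {dst} ({proto}) from non-allowlisted source")
    for src in pivots:
        print(f"REVIEW {src} reached the control segment from outside it")
```

In the sample data the corporate host 10.1.4.23 is caught speaking S7comm and Modbus directly to PLCs, and 10.1.9.8 shows up only in the review list because its RDP session to an engineering workstation is not an ICS protocol; that second case is the one the allowlist alone would miss.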

[1]
Cyber Threats and the US Economy, Statement for the Record Before the Joint
Economic Committee on Cyber Threats and the US Economy, John A. Serabian, Jr.,
Information Operations Issue Manager, CIA, February 23, 2000.